silent installed PAM Client cannot be launched by Domain Users

Document ID : KB000124793
Last Modified Date : 16/01/2019
Show Technical Document Details
Introduction:
Customer has PAM Client registered in their Software Distribution Catalogue for silent installation to Domain member windows machines.
The installation works fine but when a Domain User logon to the Windows machine to launch the PAM Client it does not launch.
Is there any requirement with PAM Client Silent Installation for Domain Users?
Question:
Customer has PAM Client registered in their Software Distribution Catalogue for silent installation to Domain member windows machines.
The installation works fine but when a Domain User logon to the Windows machine to launch the PAM Client it does not launch.
Is there any requirement with PAM Client Silent Installation for Domain Users?
Answer:
The installation inherits the parent folder permissions.
Generally you can assign "Everyone" the full permission to that PAM Client home directory would resolve the permission problem.
If you are unable to provider "Everyone" full permission to that folder due to security reasons you can customize your Software Distribution script to assign specific Domain accounts to have full permission to that folder using "icacls".

For example:
icacls %PAM_CLIENT_FOLDER% /remove:d /grant %END_USER_ACCOUNT%:(OI)(CI)F /T

%PAM_CLIENT_FOLDER% is the PAM Client installation folder.
%END_USER_ACCOUNT% is the end user domain account
/remove:d would remove any explicit DENY permission that might have been set which might conflict with the end user permission
(OI)(CI)F would give FULL permission to any new files/folders that might be created in the future
/T applies this to existing files/folders currently exist